Claims 1-68 are allowed over the prior art of record and in light of applicant's 
arguments. 

EXAMINER'S AMENDMENT 

An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview 
with John Smart on 4/12/09. 

The application has been amended as follows: Please replace claims 1-68 with 
the following: 

1. (Currently amended) A method employing supplemental authentication to prevent 
an inadequately secured client from compromising a host that offers a service that the client 
wishes to access, the method comprising: 

specifying a supplemental authentication policy to be enforced upon the client's request 
to access the service, the policy establishing firewall and anti-virus measures required to be 
installed and operational at the client in order for the client to be considered adequately secured 
for accessing the service; 

receiving a request for access to the service from the client; 

attempting primary authentication of the client based on credentials presented by the 
client; 

if the client passes primary authentication, attempting secondary authentication by testing 
the client's current firewall and anti-virus measures against said policy to confirm that the client 
is adequately secured for accessing the service; and 

if the client fails to pass both primary and secondary authentications, denying the client 
access to the service. 

2. (Original) The method of claim 1, wherein the service comprises a remote service 
accessible by the client through a network. 

3. (Original) The method of claim 1, further comprising: 

restricting access to the service if the client is determined to be non-compliant with said 

policy. 

4. (Original) The method of claim 3, wherein restricting access includes assigning 
limited access privileges to the client. 

5. (Original) The method of claim 3, wherein restricting access includes issuing a 
Kerberos ticket specifying limited access privileges if the client is determined to be non- 
compliant with the policy. 

6. (Original) The method of claim 1, wherein said policy comprises a security policy. 

7. (Original) The method of claim 6, wherein said security policy includes security 
measures required on the client. 

8. (Currently amended) The method of claim 1, wherein said policy includes 
anti-spyware measures required on the client. 



9. (Original) The method of claim 1, wherein said step of providing access includes 
issuing a Kerberos ticket specifying access privileges provided to the client. 
10. (Currently amended) The method of claim 1, wherein the policy further specifies 
that a selected one of a file integrity policy be in effect at the client, a file be installed at the 
client, a process be running at the client, a particular checksum value exist at the client, and a 
particular registry entry exist at the client. 

11. (Currently amended) The method of claim 1, wherein said receiving step 
includes receiving a request for access to a server by a remote client. 

12. (Currently amended) The method of claim 1, wherein said receiving step 
includes receiving a request for access to a service on a computer system by another 
process on the computer system. 

13. (Currently amended) The method of claim 1, wherein said attempting primary 
authentication step includes authentication based on user identity. 

14. (Currently amended) The method of claim 1, wherein said attempting primary 
authentication step includes using a selected one of Kerberos authentication, Pluggable 
Authentication Module (PAM) authentication, Extensible Authentication Protocol (EAP) 
authentication, Generic Security Service API (GSS-API) authentication, and trust negotiation in 
TLS (TNT) authentication. 

15. (Original) The method of claim 1, wherein said credentials include a selected one of 
a user name, a password, and a certificate. 

16. (Currently amended) The method of claim 1, wherein said attempting secondary 
authentication step includes obtaining firewall and anti-virus information from the client. 



17. (Currently amended) The method of claim 16, wherein said step of obtaining firewall 
and anti-virus information from the client includes requesting firewall and anti-virus 
information collected by a client-side component. 

18. (Currently amended) The method of claim 1, wherein said attempting secondary 
authentication step includes substeps of: 

providing a copy of the policy to the client; and 

performing a compliance check at the client to determine compliance with the policy. 

19. (Currently amended) The method of claim 1, wherein said attempting secondary 
authentication step includes obtaining information from a security evaluation service 
that has previously evaluated compliance by the client with the policy. 

20. (Previously presented) A computer-readable storage medium having processor- 
executable instructions for performing the method of claim 1 . 

21 . (Original) A downloadable set of processor-executable instructions for performing 
the method of claim 1 . 

22. (Currently amended) A system for providing supplemental authentication to prevent 
an inadequately secured client device from compromising a host that offers access to a service, 
the system comprising: 

a supplemental authentication policy specifying access privileges to be assigned to a 
client device based on security-related attributes of the client device that are relevant to the 
client device's access of the service, said policy establishing firewall and anti-virus measures 
required to be installed and operational at the client device in order for the client device to be 
considered adequately secured to access the service; 

a primary authentication module for receiving a request from a given client device for 
access to the service and determining whether to authenticate the given client device for access 
to the service, wherein the given client device is denied access to the service if the primary 
authentication module cannot authenticate the device; and 

a supplemental authentication module for examining current security-related attributes of 
the given client device authenticated by said primary authentication module and determining 
whether to authenticate the given client device by testing whether the given client device's 
current firewall and anti-virus measures satisfy said policy, wherein the given client device is 
denied access to the service if the supplemental authentication module cannot authenticate the 
device. 

23. (Original) The system of claim 22, wherein said policy comprises a security policy. 

24. (Original) The system of claim 22, wherein said policy includes security attributes of 
the client device. 

25. (Currently amended) The system of claim 22, wherein said step of examining 
determines whether specified anti-virus measures are in effect on the client device. 

26. (Currently amended) The system of claim 22, wherein said supplemental 
authentication module examines a selected one of a file integrity policy in effect at the client 
device, a file installed at the client device, a process running at the client device, a particular 
checksum value at the client device, and a registry entry at the client device. 

27. (Original) The system of claim 22, wherein said primary authentication module uses 
a selected one of Kerberos authentication, Pluggable Authentication Module (PAM) 
authentication, Extensible Authentication Protocol (EAP) authentication, Generic Security 
Service API (GSS-API) authentication, and trust negotiation in TLS (TNT) authentication. 

28. (Original) The system of claim 22, wherein said primary authentication module 
authenticates the client device based upon user identity. 
29. (Original) The system of claim 28, wherein the client device provides a user name 
and password to said primary authentication module for authenticating user identity. 

30. (Original) The system of claim 28, wherein the client device provides a digital 
certificate to said primary authentication module for authenticating user identity. 

31. (Currently amended) The system of claim 22, wherein the supplemental 
authentication module includes a component on the client device for collecting information 
about firewall and anti-virus measures. 

32. (Currently amended) The system of claim 31, wherein the component on the client 
device evaluates the collected information about firewall and anti-virus measures at the 
client device for determining compliance of the client device with the policy. 

33. (Original) The system of claim 32, further comprising: 
a policy server for providing the policy to the client device. 

34. (Currently amended) The system of claim 22, wherein the supplemental 
authentication module receives information about firewall and anti-virus measures of 
the client device from the client device. 

35. (Currently amended) The system of claim 34, wherein the client device provides 
information about firewall and anti-virus measures to the supplemental authentication 
module in response to a message from the supplemental authentication module. 

36. (Currently amended) The system of claim 35, wherein said information about 
firewall and anti-virus measures is provided as a selected one of a text string, an Extensible 
Markup Language (XML) document, and an Abstract Syntax Notation One (ASN.1) file. 



37. (Original) The system of claim 22, wherein the supplemental authentication module 
permits access to the service if the client device is in compliance with the policy. 

38. (Original) The system of claim 22, wherein the supplemental authentication module 
issues a Kerberos ticket specifying the client device's access privileges. 

39. (Original) The system of claim 22, wherein the supplemental authentication module 
restricts access to the service if the client device is non-compliant with the policy. 

40. (Original) The system of claim 22, further comprising: 

a policy server in communication with the supplemental authentication module for 
evaluating compliance by the client device with the policy based upon attributes of the client 
device. 

41 . (Original) The system of claim 22, wherein the supplemental authentication module 
comprises a selected one of an anti-virus engine, a configuration checker, and a security engine. 

42. (Currently amended) A method for providing supplemental authentication to prevent 
an inadequately secured client from compromising a host that offers a service that the client 
wishes to access, the method comprising: 

specifying a supplemental authentication access policy for assigning privileges to a 
client to use the service based on security attributes of the client, the policy establishing 
firewall and anti-virus measures required to be installed and operational at the client in order 
for the client to be considered adequately secured for accessing the service; 

receiving a request for use of the service from a client; 

attempting primary authentication of the client based on user identity information 
provided by the client; 

if the client is authenticated based on user identity, attempting supplemental 
authentication by testing whether the client's current firewall and anti-virus measures satisfy 
said policy; and 

assigning privileges to the client to use the service based on whether the client's firewall 
and anti-virus measures satisfy said policy, so that the client is denied access to the service if 
insufficient privileges are assigned. 

43. (Original) The method of claim 42, wherein said step of assigning privileges includes 
blocking access to the service if the client is determined to be non-compliant with the access 
policy. 

44. (Original) The method of claim 42, wherein said step of assigning privileges includes 
restricting access to the service if the client is determined to be non-compliant with the access 
policy. 

45. (Original) The method of claim 42, wherein said step of assigning privileges includes 
issuing a Kerberos ticket to the client. 

46. (Original) The method of claim 42, wherein said access policy includes security 
measures required on the client. 

47. (Currently amended) The method of claim 42, wherein said access policy includes 
anti-spyware measures required on the client. 

48. (Original) The method of claim 42, wherein said access policy includes an attribute 
required for the client. 

49. (Original) The method of claim 48, wherein said attribute includes a selected one of a 
file integrity policy in effect at the client, a file installed at the client, a process running at the 
client, a particular checksum value at the client, and a registry entry at the client. 

50. (Currently amended) The method of claim 42, wherein said receiving step 
includes receiving a request for access to a server by a remote client. 

51. (Currently amended) The method of claim 42, wherein said attempting 
supplemental authentication step includes requesting attribute information from the client. 

52. (Original) The method of claim 51, wherein the attribute information is provided as a 
selected one of a text string, an Extensible Markup Language (XML) document, and an Abstract 
Syntax Notation One (ASN.1) file. 

53. (Currently amended) The method of claim 42, wherein said attempting 
supplemental authentication step includes using a client-side component for collecting attribute 
information. 

54. (Original) The method of claim 53, wherein said client-side component determines 
whether the client is in compliance with the access policy based on the collected attribute 
information. 

55. (Original) The method of claim 53, wherein said client-side component sends the 
collected attribute information to a policy server for determining whether the client is in 
compliance with the access policy. 

56. (Previously presented) A computer-readable storage medium having processor- 
executable instructions for performing the method of claim 42. 

57. (Original) A downloadable set of processor-executable instructions for performing 
the method of claim 42. 

58. (Currently amended) In a system comprising a client computer connecting to a 
service through a network, a method for regulating access to the service based on a specified 
supplemental authentication access policy, the policy including security-relevant requirements 
about firewall and anti-virus measures that the client computer must meet before the client 
computer is provided access to the service, the method comprising: 

after initial authentication of the client computer has occurred, attempting supplemental 
authentication of the client computer by transmitting a challenge from the service to the client 
computer connecting to the service to determine whether the client computer's current firewall 
and anti-virus measures satisfy the requirements of said policy; 

transmitting a response from the client computer back to the service, for responding to 
the challenge issued by the service that is attempting supplemental authentication of the client 
computer; and 

based on the response received from the client computer, blocking access to the service 
by the client computer if the client computer's current firewall and anti-virus measures fail to 
satisfy the requirements of said policy. 

59. (Original) The method of claim 58, wherein said access policy includes rules that are 
enforced against selected ones of users, computers, and groups thereof. 

60. (Original) The method of claim 58, wherein said challenge includes at least some 
rules of said access policy that are transmitted to the client computer. 

61 . (Original) The method of claim 58, wherein said access policy is provided at the 
client computer. 

62. (Original) The method of claim 61, wherein the client computer performs a 
compliance check for determining compliance with the access policy and returns the compliance 
check result in response to the challenge. 



63. (Currently amended) The method of claim 58, wherein said policy further specifies 
that a selected one of a file integrity policy be in effect at the client computer, a file be installed 
at the client computer, a process be running at the client computer, a particular checksum value 
exist at the client computer, and a particular registry entry exist at the client computer. 

64. (Original) The method of claim 58, further comprising: 
otherwise, permitting access to the service by the client computer. 

65. (Original) The method of claim 64, wherein permitting the client computer to access 
the service includes assigning access privileges based on the response received from the client 
computer. 

66. (Original) The method of claim 65, wherein assigning access privileges includes 
issuing a Kerberos ticket for providing said access privileges to the client computer. 

67. (Original) A downloadable set of processor-executable instructions for performing 
the method of claim 58. 

68. (Previously presented) A computer-readable storage medium having processor- 
executable instructions for performing the method of claim 58. 

The following is an examiner's statement of reasons for allowance: specifying a 
supplemental authentication policy to be enforced upon the client's request to access the service, 
the policy establishing firewall and anti-virus measures required to be installed and operational at 
the client in order for the client to be considered adequately secured for accessing the service; 
receiving a request for access to the service from the client; attempting primary authentication of 
the client based on credentials presented by the client; if the client passes primary authentication, 
attempting secondary authentication by testing the client's current firewall and anti-virus 
measures against said policy to confirm that the client is adequately secured for accessing the 
service; and if the client fails to pass both primary and secondary authentications, denying the 
client access to the service. 

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Frantz B. Jean whose telephone number is 571-272- 
3937. The examiner can normally be reached on 8:30-6:00 M-F. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nathan J. Flynn can be reached on 571-272-1915. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
/Frantz B. Jean/ 

Primary Examiner, Art Unit 2454 
